June 14, 2008

Spotting an eBay Phish [Updated]

This post is for eBay users out there, especially those who actively sell items through the auction site. It is you sellers for whom the following phishing spam can be troublesome if you're not on the lookout for crooks trying to nab your login credentials. Note that what I'm saying here applies to all users, regardless of operating system—this is not a Windows-only situation, because Mac and Linux eBay users can lose their login credentials just as quickly as anyone if they respond to these types of phishing messages.

Here is a message that found its way into my email client today:

I have blocked out only two pieces of information—the user name of an email account that might be a real address of an innocent bystander. Nothing else in this message has any connection with reality, but more about that in a moment.

If you are an active eBay seller, you have probably received messages from potential buyers asking questions about an auction or item you have for sale. If you have your preferences set to send these messages to your account email address, such messages look like the one above—at least in a macro sense. Look a little closer, however, and there are numerous signals that this is not genuine.

The first signal is that the recipient is not named at the top of the message (to the right of the eBay logo). Although the message accurately snatched eBay's warning ("Your registered name is included to show this message originated from eBay."), the supposed sender's name is shown, not the recipient's.

The second signal is evident if you take a moment to roll your mouse over the Respond button (or, in this case, all links in the message). Most email clients reveal at least the start of the hidden URL associated with a clickable image. In the above screen shot, I've positioned the mouse above the button to reveal (down in the bottom status bar) the destination URL. This button ain't goin' to eBay, but to a Danish web site (the .dk country domain), whose page would replicate eBay's login screen, prompting you to enter your login ID and password. I normally block out these addresses in images shown here, but the ISP hosting that domain was Johnny-on-the-spot and had suspended the entire site by the time I saw this message. That warmed my cochleae cordis.

So, those are two obvious things you can see without having to know anything about email message headers or how legitimate versions of this type of message operate. A third clue, though it sits in smaller, grey print, is the use of last year's copyright date in the footer.

In contrast, I'll show you a genuine message of this type from my own inbox:

You'll immediately notice that I have redacted a lot of material, some for privacy reasons, and some for the sake of eliminating any kind of self-promotion of one of my (now ended) auctions. But the amount of redactions—compared to the phony message earlier—is also a good indication of how much truly identifiable information is conveyed in genuine eBay messages of this type. For example:

My name and eBay user ID are explicitly mentioned at the top of the message (to the right of the eBay logo).

My eBay user ID is used in the salutation ("Dear so-and-so") of the message.

Very explicit details about the auction item, including title (which also appears in the Subject: line), are spelled out in full.

Using the rollover test, the link attached to the Respond button begins with something that looks legitimate. But because the status bar shows only the start of the URL, that fragment alone is not sufficient reason to trust the link. A long URL can be built so that a legitimate-looking prefix is not the destination at all: in a form such as http://www.ebay.com@crook.example/, everything before the "@" is treated as a user name and the browser connects to crook.example; and a host such as www.ebay.com.crook.example is simply a sub-domain of the crook's own domain. Only the host name just before the first single "/" after the scheme tells you where you will really land.
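To make the "where does this link really land" check concrete, here is an added Python example (not code from the original post or from eBay). Given a URL copied from the status bar or the message source, it extracts the host the browser would actually connect to, reduces it to its registrable domain, and compares that against an allow-list. The trusted domains, the stand-in public-suffix table, and all sample links are constructed assumptions for the example; crook.example and the 192.0.2.x address are documentation-only names. It goes a little beyond the text by also flagging bare-IP hosts and "trusted" links whose query string carries a second URL to bounce to.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumed for this example: the registrable domains a genuine eBay message
# may link to. A real deployment would keep this list current.
TRUSTED_DOMAINS = {"ebay.com", "ebay.co.uk", "ebay.fr"}

# Tiny stand-in for the public suffix list (assumption). Without a real
# suffix list, "co.uk" would otherwise be mistaken for a registrable domain.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample links, labelled by what they are meant to illustrate.
SAMPLE_LINKS = {
    "genuine": "https://www.ebay.com/itm/123456789",
    "genuine_uk": "https://www.ebay.co.uk/itm/123456789",
    "userinfo_trick": "http://www.ebay.com@crook.example/signin",
    "subdomain_trick": "http://www.ebay.com.crook.example/signin",
    "bare_ip": "http://192.0.2.10/ebay/signin",
    "redirect_param": "https://www.ebay.com/ws/go?Return=http://crook.example/login",
}


def real_host(url: str) -> Optional[str]:
    """Return the host a browser would connect to, or None if there is none.

    urlsplit() applies the URL grammar, so in http://www.ebay.com@crook.example/
    the "www.ebay.com" part is user-info and the host is crook.example.
    .hostname is lower-cased and has user-info and port already stripped.
    """
    host = urlsplit(url.strip()).hostname
    return host.rstrip(".") if host else None


def registrable_domain(host: str) -> str:
    """Collapse a host to the domain someone had to register to own it."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def embedded_urls(url: str) -> list:
    """URLs hidden in query parameters, a common open-redirect pattern."""
    query = urlsplit(url).query
    return [v for _, v in parse_qsl(query) if re.match(r"(?i)https?://", v)]


def classify_link(url: str, trusted=frozenset(TRUSTED_DOMAINS)) -> Tuple[bool, str]:
    """Return (safe_to_follow, reason) for one link."""
    host = real_host(url)
    if host is None:
        return False, "reject: no host in URL"
    if is_ip_literal(host):
        return False, f"reject: bare IP address {host}"
    domain = registrable_domain(host)
    if domain not in trusted:
        return False, f"reject: lands on {host} (registrable domain {domain})"
    hops = embedded_urls(url)
    if hops:
        return False, "reject: trusted host but link bounces to " + ", ".join(hops)
    return True, f"accept: {host}"


if __name__ == "__main__":
    for label, link in SAMPLE_LINKS.items():
        ok, reason = classify_link(link)
        print(f"{label:16} {'OK ' if ok else 'BAD'} {reason}")
```

The decisive step is that `real_host` uses the URL parser rather than a string search for "ebay.com", so the user-info and sub-domain disguises both resolve to the crook's domain. The redirect check is a heuristic: a legitimate site can carry a second URL in its query string, but in an unsolicited message that is reason enough to log in by hand instead of clicking.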

Just because the second message appears to be genuine should not be enough, however. Although phishers tend to work in bulk, a more diligent crook could specifically target you with a message that looks exactly like the second one above. Indeed, the crook would have to do a little research, but everything he would need to replicate this message—except your email address, unless you also (foolishly) include that in your item description—can be derived directly from any one of your auction listings.

How, then, can you prevent yourself from being fooled by a bogus eBay email message? You can continue to let your email inbox receive copies of eBay messages, but never, ever, ever respond to one of these messages through your email client. Instead, log into your eBay account as you normally do, and visit the "My eBay" section of the site, where you can find a link to your messages ("My Messages"). Use only the My eBay message facilities to send and receive initial contacts with eBayers you don't know. Additionally, whenever you send a message or reply to someone's query, be sure to check the box at the end that prevents your email address from being sent with the message. Let eBay provide the address only to those who buy from you, or from whom you buy stuff.

Additionally, heed eBay's further advice about keeping transactions solely within the eBay system. If someone has had his or her eBay login credentials phished, that means that a crook can hijack the account and initiate a shady, off-eBay deal with you through the eBay My Messages system. The minute you or another party try to get creative, you lose any protection that eBay might afford you if you follow the rules.

EBay accounts and goods offered on eBay are rich targets for crooks. I hear countless stories from former eBay users who won't touch it because of a bad experience. I suspect a large percentage of those folks are mad at eBay because the company wouldn't make good on a foolish mistake the user made. It's like getting mad at the bank whose Automated Teller Machine yielded hundreds of dollars from your account to the friend of your roommate to whom you gave your ATM card and PIN.

I've bought and sold casually on eBay since December of 1996. Even as I write this, I have some hobby-related items up for auction. Perhaps the key to being a happy user is remaining vigilant against possible intruders or those trying to "game" the system. Keeping an eye out for phony messages is one of the first steps you should take to prevent yourself from getting into trouble.

UPDATE (17June2008): This bogus eBay seller, magali7577, has shown up on similar phishing messages to French ebayers, with the message and destination phishing site replicating French eBay material. Merde!

Posted on June 14, 2008 at 06:29 PM
